Forum Discussion
Chris-Yue
Apr 03, 2017 (Iron Contributor)
Advice on moving from AD Connect with Password Sync to ADFS
Environment AD Connect with Single Sign On and Password sync and Hybrid Exchange enabled. I am using one server LAN based running AD Connect. If I move to ADFS, I understand that I will need the...
- Apr 06, 2017
You can reuse the existing server, that's not a problem. Having a single AD FS server (or WAP one) is a recipe for disaster, however; you should have at minimum 2+2 to ensure HA.
You can use Server 2016. You can use the AD FS server to restrict logins based on criteria such as IP or protocol used, but the implementation depends on several factors (such as the use of Modern authentication), and in some cases Conditional access might be a better solution. I don't have enough time to write a proper answer now, but this has been discussed numerous times already; do a search on the internet to find the relevant articles.
You can find the instructions about switching between federated and managed ids with password sync here: https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx
Shane Jackson
May 11, 2017 (Copper Contributor)
Agree with previous comments. But be careful when it comes to switching from federated to managed identity when ADFS is unavailable. The Convert-MsolDomainToStandard command requires ADFS to be available.
If ADFS is not available, use
Set-MsolDomainAuthentication -DomainName mydomain.com -Authentication Managed
More info here
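The fallback Shane describes, written out as an added PowerShell example for the MSOnline module (this is not code from the thread or from Microsoft's documentation). It assumes the MSOnline module is installed, the account has tenant admin rights, and password hash sync in AD Connect is already enabled and healthy; `contoso.example` and the password-file path are placeholders.

```powershell
# Added example: guarded switch of a domain from Federated to Managed.
# Preferred path is Convert-MsolDomainToStandard, which also cleans up the
# relying party trust but needs the AD FS farm to be reachable. When that
# fails (farm down), fall back to Set-MsolDomainAuthentication as in the post.
# Assumptions: MSOnline module present, tenant admin credentials, and password
# hash sync already working, otherwise users have no usable cloud password.

Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

$DomainName   = 'contoso.example'                 # placeholder verified domain
$PasswordFile = "$env:TEMP\conversion-passwords.txt"  # placeholder path; required by the cmdlet

$domain = Get-MsolDomain -DomainName $DomainName

if ($domain.Authentication -ne 'Federated') {
    Write-Host "$DomainName is already '$($domain.Authentication)'; nothing to do."
    return
}

try {
    # -SkipUserConversion $true leaves existing user objects as they are and
    # relies on password hash sync for their passwords.
    Convert-MsolDomainToStandard -DomainName $DomainName `
                                 -SkipUserConversion $true `
                                 -PasswordFile $PasswordFile
    Write-Host "Converted $DomainName via Convert-MsolDomainToStandard."
}
catch {
    Write-Warning "Convert-MsolDomainToStandard failed: $($_.Exception.Message)"
    Write-Warning "AD FS is probably unreachable; switching the domain directly in Azure AD."

    # Fallback from the post above. This does not touch the AD FS farm, so the
    # relying party trust must be removed separately once the farm is back.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    Write-Host "Set $DomainName to Managed via Set-MsolDomainAuthentication."
}

# Confirm the change before telling users to sign in with their synced password.
(Get-MsolDomain -DomainName $DomainName).Authentication
```

The final `Get-MsolDomain` call should report `Managed`; if it still shows `Federated`, do not proceed with the AD FS teardown, because sign-ins would continue to be redirected to a farm that is no longer there.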
May 11, 2017
That's good to know, Shane; I've not had to recover authentication from ADFS in the event of a farm failure, so never hit that!
Paul.